Add MySQL Manager to MySQL policy module

Second submission to fix mistakes from first.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <cpebenito@tresys.com>

policy/modules/kernel/corenetwork.te.in

@@ -140,6 +140,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0)
 network_port(munin, tcp,4949,s0, udp,4949,s0)
 network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
 portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+network_port(mysqlmanagerd, tcp,2273,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
 network_port(nmbd, udp,137,s0, udp,138,s0)

policy/modules/services/mysql.fc

@@ -6,6 +6,7 @@
 /etc/my\.cnf		--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/mysql(/.*)?		gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/rc\.d/init\.d/mysqld --	gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
 
 #
 # /usr
@@ -16,6 +17,8 @@
 
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
+/usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
+
 #
 # /var
 #
@@ -25,3 +28,5 @@
 /var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/var/run/mysqld/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)

policy/modules/services/mysql.if

@@ -237,6 +237,26 @@ interface(`mysql_write_log',`
 	allow $1 mysqld_log_t:file { write_file_perms setattr };
 ')
 
+#####################################
+## <summary>
+##	Read MySQL PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`mysql_read_pid_files',`
+	gen_require(`
+		type mysqld_var_run_t;
+	')
+
+	mysql_search_pid_files($1)
+	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
+')
+
 #####################################
 ## <summary>
 ##	Search MySQL PID files.

policy/modules/services/mysql.te

@@ -32,6 +32,21 @@ logging_log_file(mysqld_log_t)
 type mysqld_tmp_t;
 files_tmp_file(mysqld_tmp_t)
 
+########################################
+#
+# MySQL Manager Declarations
+#
+
+type mysqlmanagerd_t;
+type mysqlmanagerd_exec_t;
+init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
+
+type mysqlmanagerd_initrc_exec_t;
+init_script_file(mysqlmanagerd_initrc_exec_t)
+
+type mysqlmanagerd_var_run_t;
+files_pid_file(mysqlmanagerd_var_run_t)
+
 ########################################
 #
 # Local policy
@@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t)
 corenet_sendrecv_mysqld_server_packets(mysqld_t)
 
 dev_read_sysfs(mysqld_t)
+dev_read_urand(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
@@ -161,3 +177,44 @@ mysql_manage_db_files(mysqld_safe_t)
 mysql_read_config(mysqld_safe_t)
 mysql_search_pid_files(mysqld_safe_t)
 mysql_write_log(mysqld_safe_t)
+
+########################################
+#
+# MySQL Manager Policy
+#
+allow mysqlmanagerd_t self:capability { dac_override kill };
+allow mysqlmanagerd_t self:process signal;
+allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
+allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
+
+mysql_read_config(initrc_t)
+mysql_read_config(mysqlmanagerd_t)
+mysql_read_pid_files(mysqlmanagerd_t)
+mysql_search_db(mysqlmanagerd_t)
+mysql_signal(mysqlmanagerd_t)
+mysql_stream_connect(mysqlmanagerd_t)
+
+kernel_read_system_state(mysqlmanagerd_t)
+corecmd_exec_shell(mysqlmanagerd_t)
+corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
+corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
+corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
+corenet_tcp_bind_generic_node(mysqlmanagerd_t)
+corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t)
+dev_read_urand(mysqlmanagerd_t)
+files_read_etc_files(mysqlmanagerd_t)
+files_read_usr_files(mysqlmanagerd_t)
+
+miscfiles_read_localization(mysqlmanagerd_t)
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
+
+domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
+filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
+manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)